Digital certificates and CipherSpec compatibility in IBM MQ
This topic provides information on how to choose appropriate CipherSpecs and digital certificates for your security policy, by outlining the relationship between CipherSpecs and digital certificates in IBM MQ .
In releases prior to IBM WebSphere MQ Version 7.1, all supported TLS CipherSpecs used the RSA algorithm for digital signatures and key agreement. All of the supported types of digital certificate were compatible with all of the supported CipherSpecs, so it was possible to change the CipherSpec for any channel without needing to change digital certificates.
In IBM WebSphere MQ Version 7.1 and later, only a subset of the supported CipherSpecs can be used with all of the supported types of digital certificate. It is therefore necessary to choose an appropriate CipherSpec for your digital certificate. Similarly, if your organization's security policy requires that we use a particular CipherSpec then you must obtain an appropriate digital certificate for that CipherSpec.
The MD5 digital signature algorithm and TLS 1.2
Digital certificates signed using the MD5 algorithm are rejected when the TLS 1.2 protocol is used. This is because the MD5 algorithm is now considered weak by many cryptographic analysts and its use is generally discouraged. To use newer CipherSpecs based on the TLS 1.2 protocol, ensure that the digital certificates do not use the MD5 algorithm in their digital signatures. Older CipherSpecs which use the TLS 1.0 protocols are not subject to this restriction and can continue to use certificates with MD5 digital signatures.
To view the digital signature algorithm for a particular certificate, we can use the runmqakm command:runmqakm -cert -details -db key.kdb -pw password -label cert_labelwhere cert_label is the certificate label of the digital signature algorithm to to display. See Digital certificate labels for details. Note: Although the iKeycmd (runmqckm) tool and the iKeyman (strmqikm) GUI can be used to view a selection of digital signature algorithms, the runmqakm tool provides a wider range. The execution of the runmqakm command produces output displaying the use of the signature algorithm specified:
Label : ibmmqexample
Key Size : 1024
Version : X509 V3
Serial : 4e4e93f1
Issuer : CN=Old Certificate Authority,OU=Test,O=Example,C=US
Subject : CN=Example Queue Manager,OU=Test,O=Example,C=US
Not Before : August 19, 2011 5:48:49 PM GMT+01:00
Not After : August 18, 2012 5:48:49 PM GMT+01:00
Public Key   
    30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01
    05 00 03 81 8D 00 30 81 89 02 81 81 00 98 5A 7A
    F0 18 21 EE E4 8A 6E DE C8 01 4B 3A 1E 41 90 3D
    CE 01 3F E6 32 30 6C 23 59 F0 FE 78 6D C2 80 EF
    BC 83 54 7A EB 60 80 62 6B F1 52 FE 51 9D C1 61
    80 A5 1C D4 F0 76 C7 15 6D 1F 0D 4D 31 3E DC C6
    A9 20 84 6E 14 A1 46 7D 4C F5 79 4D 37 54 0A 3B
    A9 74 ED E7 8B 0F 80 31 63 1A 0B 20 A5 99 EE 0A
    30 A6 B6 8F 03 97 F6 99 DB 6A 58 89 7F 27 34 DE
    55 08 29 D8 A9 6B 46 E6 02 17 C3 13 D3 02 03 01
    00 01
Public Key Type : RSA (1.2.840.113549.1.1.1)
Fingerprint : SHA1 :    
    09 4E 4F F2 1B CB C1 F4 4F 15 C9 2A F7 32 0A 82
    DA 45 92 9F
Fingerprint : MD5 :    
    44 54 81 7C 58 68 08 3A 5D 75 96 40 D5 8C 7A CB
Fingerprint : SHA256 :    
    3B 47 C6 E7 7B B0 FF 85 34 E7 48 BE 11 F2 D4 35
    B7 9A 79 53 2B 07 F5 E7 65 E8 F7 84 E0 2E 82 55
Signature Algorithm : MD5WithRSASignature (1.2.840.113549.1.1.4)
Value   
    3B B9 56 E6 F2 77 94 69 5B 3F 17 EA 7B 19 D0 A2
    D7 10 38 F1 88 A4 44 1B 92 35 6F 3B ED 99 9B 3A
    A5 A4 FC 72 25 5A A9 E3 B1 96 88 FC 1E 9F 9B F1
    C5 E8 8E CF C4 8F 48 7B 0E A6 BB 13 AE 2B BD D8
    63 2C 03 38 EF DC 01 E1 1F 7A 6F FB 2F 65 74 D0
    FD 99 94 BA B2 3A D5 B4 89 6C C1 2B 43 6D E2 39
    66 6A 65 CB C3 C4 E2 CC F5 49 39 A3 8B 93 5A DD
    B0 21 0B A8 B2 59 5B 24 59 50 44 89 DC 78 19 51
Trust Status : Enabled
The Signature Algorithm line shows that the MD5WithRSASignature
algorithm is used. This algorithm is based upon MD5 and so this digital certificate cannot be used
with the TLS 1.2 CipherSpecs. 
Interoperability of Elliptic Curve and RSA CipherSpecs
Not all CipherSpecs can be used with all digital certificates. There are three types of CipherSpec, denoted by the CipherSpec name prefix. Each type of CipherSpec imposes different restrictions upon the type of digital certificate which may be used. These restrictions apply to all IBM MQ TLS connections, but are particularly relevant to users of Elliptic Curve cryptography.
The following table summarizes the relationships between CipherSpecs and digital certificates:| Type | CipherSpec Name Prefix | Description | Required public key type | Digital signature encryption algorithm | Secret key establishment method | 
|---|---|---|---|---|---|
| 1 | ECDHE_ECDSA_ | CipherSpecs which use Elliptic Curve public keys, Elliptic Curve secret keys, and Elliptic Curve digital signature algorithms. | Elliptic Curve | ECDSA | ECDHE | 
| 2 | ECDHE_RSA_ | CipherSpecs which use RSA public keys, Elliptic Curve secret keys, and RSA digital signature algorithms. | RSA | RSA | ECDHE | 
| 3 | (All others) | CipherSpecs which use RSA public keys and RSA digital signature algorithms. | RSA | RSA | RSA | 
The required public key type column shows the type of public key which the personal certificate must have when using each type of CipherSpec. The personal certificate is the end-entity certificate which identifies the queue manager or client to its remote partner.
You could configure a channel with both a CipherSpec that requires an Elliptic Curve (EC) certificate, and a certificate label for an RSA certificate, or the other way round. You must ensure that the certificate named in the certificate label is appropriate for the channel CipherSpec.
Assuming that we have correctly configured IBM MQ, we can have:- A single queue manager with a mixture of RSA and EC certificates.
- Different channels on the same queue manager using either an RSA or EC certificate.
The digital signature encryption algorithm refers to the encryption algorithm used to validate the peer. The encryption algorithm is used along with a hash algorithm such as MD5, SHA-1 or SHA-256 to compute the digital signature. There are various digital signature algorithms which can be used, for example, RSA with MD5 or ECDSA with SHA-256. In the table, ECDSA refers to the set of digital signature algorithms which use ECDSA; RSA refers to the set of digital signature algorithms which use RSA. Any supported digital signature algorithm in the set may be used, provided it is based upon the stated encryption algorithm.
Type 1 CipherSpecs require that the personal certificate must have an Elliptic Curve public key. When these CipherSpecs are used, Elliptic Curve Diffie Hellman Ephemeral key agreement is used to establish the secret key for the connection.
Type 2 CipherSpecs require that the personal certificate has an RSA public key. When these CipherSpecs are used, Elliptic Curve Diffie Hellman Ephemeral key agreement is used to establish the secret key for the connection.
Type 3 CipherSpecs require that the the personal certificate must have an RSA public key. When these CipherSpecs are used, RSA key exchange is used to establish the secret key for the connection.
This list of restrictions is not exhaustive: depending on the configuration, there might be additional restrictions which can further affect the ability to interoperate. For example, if IBM MQ is configured to comply with the FIPS 140-2 or NSA Suite B standards then this will also limit the range of allowable configurations. Refer to the following section for more information.
If you need to use different types of CipherSpec on the same queue manager or client application, configure an appropriate certificate label and CipherSpec combination on the client definition.
The three types of CipherSpec do not interoperate directly: this is a limitation of the current TLS standards. For example, suppose we have chosen to use the ECDHE_ECDSA_AES_128_CBC_SHA256 CipherSpec for a receiver channel named TO.QM1 on a queue manager named QM1.
ECDHE_ECDSA_AES_128_CBC_SHA256 is a Type 1 CipherSpec, so the remote sender end of channel TO.QM1 must have a personal certificate with an Elliptic Curve key and an ECDSA-based digital signature. If the remote sender channel does not meet these requirements the channel fails to start.
Other channels connecting to queue manager QM1 can use other CipherSpecs, provided that each channel uses a certificate of the correct type for the CipherSpec of that channel. For example, suppose that QM1 uses a sender channel named TO.QM2 to send messages to another queue manager named QM2. The channel TO.QM2 could use the Type 3 CipherSpec TLS_RSA_WITH_AES_256_CBC_SHA256 provided both ends of the channel use certificates containing RSA public keys. The certificate label channel attribute can be used to configure a different certificate for each channel.
When planning your IBM MQ networks, consider carefully which channels require TLS, and ensure that the type of certificates used for each channel are appropriate for use with the CipherSpec on that channel.
To view the digital signature algorithm and public key type for a digital certificate we can use the runmqakm command:runmqakm -cert -details -db key.kdb -pw password -label cert_labelwhere cert_label is the label of the certificate whose digital signature algorithm you need to display. See Digital certificate labels for details. The execution of the runmqakm command will produce output displaying the Public Key Type:
Label : ibmmqexample
Key Size : 384
Version : X509 V3
Serial : 9ad5eeef5d756f41
Issuer : CN=Example Certificate Authority,OU=Test,O=Example,C=US
Subject : CN=Example Queue Manager,OU=Test,O=Example,C=US
Not Before : 21 August 2011 13:10:24 GMT+01:00
Not After : 21 August 2012 13:10:24 GMT+01:00
Public Key
    30 76 30 10 06 07 2A 86 48 CE 3D 02 01 06 05 2B
    81 04 00 22 03 62 00 04 3E 6F A9 06 B6 C3 A0 11
    F8 D6 22 78 FE EF 0A FE 34 52 C0 8E AB 5E 81 73
    D0 97 3B AB D6 80 08 E7 31 E9 18 3F 6B DE 06 A7
    15 D6 9D 5B 6F 56 3B 7F 72 BB 6F 1E C9 45 1C 46
    60 BE F2 DC 1B AD AC EC 64 4C 0E 06 65 6E ED 93
    B8 F5 95 E0 F9 2A 05 D6 21 02 BD FB 06 63 A1 CC
    66 C6 8A 0A 5C 3F F7 D3
Public Key Type : EC_ecPublicKey (1.2.840.10045.2.1)
Fingerprint : SHA1 :
    3C 34 58 04 5B 63 5F 5C C9 7A E7 67 08 2B 84 43
    3D 43 7A 79
Fingerprint : MD5 :
    49 13 13 E1 B2 AC 18 9A 31 41 DC 8C B4 D6 06 68
Fingerprint : SHA256 :
    6F 76 78 68 F3 70 F1 53 CE 39 31 D9 05 C5 C5 9F
    F2 B8 EE 21 49 16 1D 90 64 6D AC EB 0C A7 74 17
Signature Algorithm : EC_ecdsa_with_SHA384 (1.2.840.10045.4.3.3)
Value
    30 65 02 30 0A B0 2F 72 39 9E 24 5A 22 FE AC 95
    0D 0C 6D 6C 2F B3 E7 81 F6 C1 36 1B 9A B0 6F 07
    59 2A A1 4C 02 13 7E DD 06 D6 FE 4B E4 03 BC B1
    AC 49 54 1E 02 31 00 90 0E 46 2B 04 37 EE 2C 5F
    1B 9C 69 E5 99 60 84 84 10 71 1A DA 63 88 33 E2
    22 CC E6 1A 4E F4 61 CC 51 F9 EE A0 8E F4 DC B5
    0B B9 72 58 C3 C7 A4
Trust Status : Enabled
The Public Key Type line in this case shows that the certificate has an Elliptic Curve public key.
The Signature Algorithm line in this case shows that the EC_ecdsa_with_SHA384 algorithm is in use:
this is based upon the ECDSA algorithm. This certificate is therefore only suitable for use with
Type 1 CipherSpecs. 
We can also use the iKeycmd (runmqckm) tool with the same parameters. Also the iKeyman (strmqikm) GUI can be used to view digital signature algorithms if you open the key repository and double-click the label of the certificate. However, you are advised to use the runmqakm tool to view digital certificates because it supports a wider range of algorithms.
Elliptic Curve CipherSpecs and NSA Suite B
When IBM MQ is configured to conform to the Suite B compliant TLS 1.2 profile, the permitted CipherSpecs and digital signature algorithms are restricted as described in NSA Suite B Cryptography in IBM MQ. Additionally, the range of acceptable Elliptic Curve keys is reduced according to the configured security levels.
At the 128-bit Suite B security level, the certificate subject's public key is required to use either the NIST P-256 or NIST P-384 elliptic curve and to be signed with either the NIST P-256 elliptic curve or the NIST P-384 elliptic curve. The runmqakm command can be used to request digital certificates for this security level using a -sig_alg parameter of EC_ecdsa_with_SHA256, or EC_ecdsa_with_SHA384.
At the 192-bit Suite B security level, the certificate subject's public key is required to use the NIST P-384 elliptic curve and to be signed with the NIST P-384 elliptic curve. The runmqakm command can be used to request digital certificates for this security level using a -sig_alg parameter of EC_ecdsa_with_SHA384.
The supported NIST elliptic curves are as follows:| NIST FIPS 186-3 curve name | RFC 4492 curve name | Elliptic Curve key size (bits) | 
|---|---|---|
| P-256 | secp256r1 | 256 | 
| P-384 | secp384r1 | 384 | 
| P-521 | secp521r1 | 521 |